Contributor I

Re: Restricting Authentication Type on SSID

Thanks for your help.


I have gone for the two Radius Servers option.


  • One is existing within the Domain and only allows PEAP.
  • A new IAS Server has been added to the PKI and only allows Certificate Auth.

Testing shows this has the desired effect Laptops in the Domain can not authenticate on the "CERT" SSID and the iPads can not authenticate with the "USER" SSID. The two device types get appropriate User Role upon successful authentication.


This has an added benefit in that Domain and PKI management is carried out by different groups, therefore the support boundaries remain clear.




MVP Expert

Re: Restricting Authentication Type on SSID

Late to the game, but you could also utilize NAS-ID/NAS-IP fields in your RADIUS policy to use two different RADIUS auth policies on the same server. For me on my home lab RADIUS server, I use a NAS-ID of PEAP on my PEAP auth policy, and use NAS-ID of TLS on my TLS policy all on the same RADIUS server. This way, when a client authenticates to your PEAP SSID, the RADIUS auth request puts the NAS-ID field of PEAP in the request, and it will ONLY match on the RADIUS policy. You then configure the matching NAS-ID in the RADIUS server setup.

Jerrod Howard
Distinguished Technologist, TME
Occasional Contributor II

Re: Restricting Authentication Type on SSID

Hi guys,


Later yet... I've been trying to configure both types of authentition (PEAP and TLS), but neither is working yet. I issue the AAA test server with an user and it's successful, but the client doesnt join to the network, I dont have termination enabled in my dot1x profile and the conditions in the remote policies are the same as Howard posted (for PEAP), may you please post the screenshot  of the remote policy config and the client config, I'm really confused because all seems to be ok, I've read a lot of posts but I cant achieve this. 


Thanks in advance.



Guru Elite

Re: Restricting Authentication Type on SSID

Please get EAP-PEAP working first and then layer in TLS when you have that working.  Have you seen the Microsoft Guides on the IAS and NPS server in the forums?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars
Occasional Contributor II

Re: Restricting Authentication Type on SSID

Im following your advise Colin, but the EAP-PEAP Auth is not working either, Im attaching the NPS configuration and the logs from "show log security" when I try to authenticate with an user. Please let me know what Im doing wrong to move forward to TLS authentication. Thanks in advance.



Search Airheads
Showing results for 
Search instead for 
Did you mean: